Detect Gogs Path Traversal Vulnerability (CVE-2025-8110) in Google Chronicle
Detects exploitation attempts targeting CVE-2025-8110, a path traversal vulnerability (CWE-22) in Gogs self-hosted Git service. Attackers can craft malicious HTTP requests containing directory traversal sequences to read arbitrary files outside the intended web root, potentially exposing sensitive configuration files, SSH keys, or repository data. This vulnerability is listed in the CISA KEV catalog indicating active exploitation in the wild.
MITRE ATT&CK
YARA-L Detection Query
rule gogs_path_traversal_cve_2025_8110 {
meta:
author = "df00tech Detection Engineering"
description = "Detects path traversal exploitation attempts against Gogs (CVE-2025-8110)"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-8110"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.network.http.method != ""
(
re.regex($e.network.http.request_url, `(\.\./|%2e%2e%2f|%2e%2e/|\.%2e/|%252e%252e|%2e%2e%5c)`) or
re.regex($e.target.url, `(\.\./|%2e%2e%2f|%2e%2e/|\.%2e/|%252e%252e)`)
)
(
strings.contains($e.network.http.request_url, "app.ini") or
strings.contains($e.network.http.request_url, "/etc/passwd") or
strings.contains($e.network.http.request_url, "/etc/shadow") or
strings.contains($e.network.http.request_url, "id_rsa") or
strings.contains($e.network.http.request_url, ".ssh") or
strings.contains($e.network.http.request_url, "conf/app.ini")
)
$e.principal.ip = $src_ip
match:
$src_ip over 5m
outcome:
$risk_score = max(85)
$event_count = count_distinct($e.network.http.request_url)
$target_host = array_distinct($e.target.hostname)
condition:
#e >= 1
}Chronicle YARA-L rule detecting Gogs path traversal attempts by monitoring HTTP events for directory traversal sequences combined with Gogs-specific sensitive file targets in the request URL.
Data Sources
Required Tables
False Positives & Tuning
- Security scanning tools integrated with Chronicle that test for traversal vulnerabilities
- Legitimate file path references in Gogs API calls that contain dot sequences
- Chronicle ingestion pipeline normalization artifacts causing URL encoding mismatches
- Git operations via HTTP that include encoded path separators in repository paths
Other platforms for CVE-2025-8110
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Basic Gogs Path Traversal - Read app.ini
Expected signal: HTTP GET requests to Gogs port (3000) with ../ and %2e%2e sequences in URI visible in access logs; 200 response with app.ini content if vulnerable, 400/403/404 if patched or WAF blocks
- Test 2Gogs Path Traversal - SSH Key Extraction
Expected signal: HTTP requests with mixed encoding traversal patterns (%2f for /) targeting .ssh and id_rsa paths; response codes and body sizes indicate exploitation success or failure
- Test 3Automated Gogs Traversal Scan with Multiple Encoding Variants
Expected signal: Burst of HTTP requests from single source IP within seconds, each containing different encoding variants of traversal sequences; some requests may return 200 with file content if instance is vulnerable
Unlock Pro Content
Get the full detection package for CVE-2025-8110 including response playbook, investigation guide, and atomic red team tests.